aws-samples · Dec 6, 2023
diff --git a/‎identity-policies/check-access-to-sensitive-resource/cloudformation-stack.md
Lines changed: 49 additions & 49 deletions b/‎identity-policies/check-access-to-sensitive-resource/cloudformation-stack.md
Lines changed: 49 additions & 49 deletions
diff --git a/‎identity-policies/check-access-to-sensitive-resource/ec2-image.md
Lines changed: 41 additions & 41 deletions b/‎identity-policies/check-access-to-sensitive-resource/ec2-image.md
Lines changed: 41 additions & 41 deletions
diff --git a/‎identity-policies/check-access-to-sensitive-resource/ec2-instance.md
Lines changed: 41 additions & 41 deletions b/‎identity-policies/check-access-to-sensitive-resource/ec2-instance.md
Lines changed: 41 additions & 41 deletions
@@ -59,37 +59,37 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 1: PASS - does not grant access to sensitive stack
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": [
-				"cloudformation:UpdateStack",
-				"cloudformation:DeleteStack",
-				"cloudformation:RollbackStack"
-			],
-			"Resource": "arn:aws:cloudformation:*:*:stack/NotMySensitiveStack/*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudformation:UpdateStack",
+                "cloudformation:DeleteStack",
+                "cloudformation:RollbackStack"
+            ],
+            "Resource": "arn:aws:cloudformation:*:*:stack/NotMySensitiveStack/*"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 2: PASS - explicitly denies access to sensitive stack
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "cloudformation:*",
-			"Resource": "*"
-		}, 
-		{
-			"Effect": "Deny",
-			"Action": "*",
-			"Resource": "arn:aws:cloudformation:*:*:stack/MySensitiveStack/*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "cloudformation:*",
+            "Resource": "*"
+        }, 
+        {
+            "Effect": "Deny",
+            "Action": "*",
+            "Resource": "arn:aws:cloudformation:*:*:stack/MySensitiveStack/*"
+        }
+    ]
 }
 ```
 
@@ -98,41 +98,41 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 3: FAIL - grants access to use the DeleteStack action on stack/MySensitiveStack/*
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "cloudformation:DeleteStack",
-			"Resource": "arn:aws:cloudformation:*:*:stack/MySensitiveStack/*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "cloudformation:DeleteStack",
+            "Resource": "arn:aws:cloudformation:*:*:stack/MySensitiveStack/*"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 3: FAIL - grants access to use the DeleteStack action and stack/MySensitiveStack/* is included in the resource wildcard.
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "cloudformation:DeleteStack",
-			"Resource": "arn:aws:cloudformation:*:*:stack/*Sensitive*/*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "cloudformation:DeleteStack",
+            "Resource": "arn:aws:cloudformation:*:*:stack/*Sensitive*/*"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 4: FAIL - grants access to use all CloudFormation actions and stack/MySensitiveStack/* is included in the resource wildcard.
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "cloudformation:*",
-			"Resource": "*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "cloudformation:*",
+            "Resource": "*"
+        }
+    ]
 }
 ```
@@ -57,37 +57,37 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 1: PASS - does not grant access to sensitive image
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": [
-				"ec2:RunInstances",
-				"ec2:CopyImage",
-				"ec2:ExportImage"
-			],
-			"Resource": "arn:aws:ec2:*:*:image/ami-notsensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:RunInstances",
+                "ec2:CopyImage",
+                "ec2:ExportImage"
+            ],
+            "Resource": "arn:aws:ec2:*:*:image/ami-notsensitive"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 2: PASS - explicitly denies access to sensitive image
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:*",
-			"Resource": "*"
-		}, 
-		{
-			"Effect": "Deny",
-			"Action": "*",
-			"Resource": "arn:aws:ec2:*:*:image/ami-sensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        }, 
+        {
+            "Effect": "Deny",
+            "Action": "*",
+            "Resource": "arn:aws:ec2:*:*:image/ami-sensitive"
+        }
+    ]
 }
 ```
 
@@ -96,27 +96,27 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 3: FAIL - grants access to use RunInstances action on sensitive image
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:RunInstances",
-			"Resource": "arn:aws:ec2:*:*:image/ami-sensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:RunInstances",
+            "Resource": "arn:aws:ec2:*:*:image/ami-sensitive"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 4: FAIL - grants access to use all EC2 actions and the sensitive image is included in the resource wildcard.
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:*",
-			"Resource": "*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        }
+    ]
 }
 ```
@@ -75,37 +75,37 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 1: PASS - does not grant access to sensitive instance
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": [
-				"ec2:StopInstances",
-				"ec2:TerminateInstances",
-				"ec2:CreateImage"
-			],
-			"Resource": "arn:aws:ec2:*:*:i-not-sensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:StopInstances",
+                "ec2:TerminateInstances",
+                "ec2:CreateImage"
+            ],
+            "Resource": "arn:aws:ec2:*:*:i-not-sensitive"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 2: PASS - explicitly denies access to sensitive instance
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:*",
-			"Resource": "*"
-		}, 
-		{
-			"Effect": "Deny",
-			"Action": "*",
-			"Resource": "arn:aws:ec2:*:*:instance/i-sensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        }, 
+        {
+            "Effect": "Deny",
+            "Action": "*",
+            "Resource": "arn:aws:ec2:*:*:instance/i-sensitive"
+        }
+    ]
 }
 ```
 
@@ -114,27 +114,27 @@ This reference policy checks if a candidate policy grants access to any of the l
 ###### Candidate policy 3: FAIL - grants access to use the TerminateInstances action on the sensitive instance
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:TerminateInstances",
-			"Resource": "arn:aws:ec2:*:*:instance/i-sensitive"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:TerminateInstances",
+            "Resource": "arn:aws:ec2:*:*:instance/i-sensitive"
+        }
+    ]
 }
 ```
 
 ###### Candidate policy 4: FAIL - grants access to use all EC2 actions and the sensitive instance is included in the resource wildcard.
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": "ec2:*",
-			"Resource": "*"
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        }
+    ]
 }
 ```